The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Sunday, June 07, 2009

Forensic4Cast and Links

Lee Whitfield of the Forensic4Cast podcast reached out to me this past week, and asked me to be a guest on his podcast on Wed, 10 June.

Lee's also taking nominations now through 21 June for Forensic4Cast Awards; be sure to place your vote in any or all of the various nomination categories. Take a look at the page to see how everything works, and dates for submissions, voting and the posting of the final results. While this isn't something huge that's going to get you a free pass to RSA next year or something, I do think that it's a great opportunity to show your appreciation for the work done in the various categories. See what Matt's posted as his nominations!

Didier's posted some links to PDF analysis tidbits...very cool! Didier's done a great deal of work in the area, and his work reminds me a lot of the ComputerBytesMan's work in the area of MSWord metadata extraction. Now, some folks are going to look at these links and ask, "...okay, but how can I use this?" Far too often, folks will post links to other blogs or blog posts without any real explanation of how the information is useful, valuable, or important. Well, when conducting analysis of a compromised system, one of the questions that comes up very often is, how was the system compromised? What was the infection vector? It's pretty trivial, really, to scan a mounted image with AV software or to locate files that an intruder may have copied onto the system...but sometimes (many times?) we need to find out how they got in. One means of doing so is to run file signature analysis tools across web browser and email attachment cache directories to locate things like PDF documents or Excel spreadsheets that may have been downloaded. Finding such documents, which have recently been identified as having vulnerabilities, may lead to identifying the initial source of compromise or infection.
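As an added illustration of the file signature analysis described above (example code written for this post, not a tool from the original), here is a small Python scanner that walks a cache directory, reads each file's leading bytes, and reports documents whose header matches a PDF, OLE2 (Word/Excel 97-2003) or ZIP/OOXML signature. It also flags a mismatch between the detected type and the file extension, which is exactly the case in browser caches, where downloaded documents sit under names like `setup[1].tmp`. The sample cache it builds under a temporary directory is constructed for the demonstration; the magic-byte table covers only the three container types named here.

```python
import os
import tempfile

# Leading-byte signatures for the document containers we care about:
# "%PDF" for PDF, D0 CF 11 E0 A1 B1 1A E1 for OLE2 compound files
# (Word/Excel 97-2003), and "PK\x03\x04" for ZIP-based OOXML (.docx/.xlsx).
SIGNATURES = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"PK\x03\x04": "zip",
}

# Extensions we would expect to see for each detected container type.
EXPECTED_EXT = {
    "pdf": {".pdf"},
    "ole2": {".doc", ".xls", ".ppt"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},
}


def identify(header):
    """Return the signature label for a file's leading bytes, or None if unknown."""
    for magic, label in SIGNATURES.items():
        if header.startswith(magic):
            return label
    return None


def scan_directory(root):
    """Walk a cache directory tree and return (relative path, label, mismatch)
    for every file whose header matches a known document signature.
    'mismatch' is True when the extension does not fit the detected type."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                header = fh.read(8)  # longest signature in the table is 8 bytes
            label = identify(header)
            if label is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            mismatch = ext not in EXPECTED_EXT[label]
            hits.append((os.path.relpath(full, root), label, mismatch))
    return hits


def build_sample_cache(root):
    """Write a constructed, minimal browser-cache layout (not real case data)."""
    samples = {
        "invoice.pdf": b"%PDF-1.4\n%...",
        "report.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
        "setup[1].tmp": b"%PDF-1.5\n...",   # PDF behind a cache-style name
        "logo.gif": b"GIF89a" + b"\x00" * 10,  # not a document type; ignored
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed cache in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_cache(root)
        return scan_directory(root)


if __name__ == "__main__":
    for path, label, mismatch in demo():
        flag = "  <-- extension mismatch" if mismatch else ""
        print(f"{path}: {label}{flag}")
```

Point the scanner at a mounted image's cache directories rather than the temp dir to use it for real; the extension-mismatch flag is the quick way to surface documents a browser or mail client renamed on the way to disk.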

Moyix recently posted some Windows 7 Registry hives for examination, based on a request from Tim Morgan. I'd taken a look at hives from a Windows 7 VM earlier this year, and found that while key locations may change between various revs and versions of the OS, the binary structure appears to remain the same. Thankfully, MS hasn't moved to an all-XML format for the Registry (right now, a lot of you out there are going, "Dude, shut up!!"). I've been running my RegRipper plugins against the hives and dude...they work great!
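To show what "the binary structure stays the same" means in practice, here is an added example (written for this post; not RegRipper or any of its plugins) that parses the regf base block at the start of a hive file: the signature, the primary/secondary sequence numbers (unequal means the hive was not cleanly flushed), the last-written FILETIME, the major/minor format version that a tool would check across OS releases, the root cell offset, and the base-block checksum (XOR of the first 508 bytes as 32-bit words). Since no hive is shipped with the post, the block also constructs a minimal, self-consistent base block to parse; the sequence numbers, timestamp and file name in it are made up for the demonstration.

```python
import struct
from datetime import datetime, timezone

BASE_BLOCK_SIZE = 4096
EPOCH_DIFF_100NS = 116444736000000000  # 1601-01-01 to 1970-01-01, in 100 ns ticks


def filetime_to_iso(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an ISO-8601 UTC string."""
    seconds = (ft - EPOCH_DIFF_100NS) / 10_000_000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def base_block_checksum(block):
    """XOR of the first 508 bytes of the base block taken as little-endian 32-bit words."""
    checksum = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        checksum ^= word
    return checksum


def parse_base_block(data):
    """Parse the regf base block; raise ValueError on a bad signature or checksum."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a regf hive")
    # Fields at offsets 4..44: seq1, seq2, FILETIME, major, minor, type, format,
    # root cell offset (relative to the hive bins data at 0x1000), hive bins size.
    (seq1, seq2, timestamp, major, minor, file_type, fmt,
     root_cell, bins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    stored = struct.unpack_from("<I", data, 508)[0]
    if stored != base_block_checksum(data):
        raise ValueError("base block checksum mismatch")
    # File name: UTF-16LE, 64 bytes at offset 48, zero padded.
    name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "sequence_consistent": seq1 == seq2,  # False -> dirty hive, log replay needed
        "last_written": filetime_to_iso(timestamp),
        "version": f"{major}.{minor}",
        "file_type": file_type,   # 0 = primary hive file
        "file_format": fmt,
        "root_cell_offset": root_cell,
        "hbins_size": bins_size,
        "file_name": name,
    }


def build_sample_hive_header(name="\\config\\SOFTWARE"):
    """Construct a minimal, consistent base block (not a real hive) to exercise the parser."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    ft = 128888064000000000  # constructed FILETIME for 2009-06-07T00:00:00Z
    struct.pack_into("<IIQIIIIII", block, 4, 7, 7, ft, 1, 3, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, base_block_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    for key, value in parse_base_block(build_sample_hive_header()).items():
        print(f"{key}: {value}")
```

Reading the first 4096 bytes of a real hive into `parse_base_block` gives the same dictionary; comparing the `version` field across XP, Vista and Windows 7 hives is the quick way to confirm the observation above before pointing the plugins at them.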

Speaking of Registry hives, reviews of Windows Forensic Analysis 2/e are already starting to appear! It appears that some folks really like the Registry analysis chapter...maybe this is something to take off on its own...what do you think? Should Registry Analysis become its own book? Personally, I think that there's more than enough information out there for this...let me know your thoughts. Or let Syngress know your thoughts.